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MEMORANDUM FOR: Chief, 


VIA i 
FROM* 

SUBJECT* 


Deputy Director for Administration 


Bruce T. Johnson 
Director of Date Processing 


Response to | | 

Threat Assessment 


Request 


for ADP Security 


REFERENCE* 


Memo 

1981 


from 


dtd 17 November 
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1. Attached Is a draft reply to reference. It has 
been coordinated with the interested offices in the DDA* 
Data Processing, Logistics, and Security. Me have not 
coordinated it with'ci staff or any other component of the 
DDO, 
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2, If you have any questions, 

is available to follow up on this reply. 

jBitiet T. Oehneon 

Bruce T. Johnson 
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Security Threat to ADP Systems During Acquisition 


Reference : 

'hdf Fiuy rammers - possible Threat From Hostile 
Intelligence Service, dtd 17 Nov 81 
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We share your concerns, described in the reference, 
regarding the security of computer systems during acquisition. 

We regret that we are unable to provide quantitative estimates of 
the liklihood of the events you have described. It is our 
judgment, however, that b oth threats are real and must be 
defended against, f~~ 


Event (a) of your memorandum, describes the theft of 
hardware, software or documentation from a vendor's premises or 
while in transit. We presume here you are speaking of 
classified, and not commercially available unclassified ADP 
systems. We have in place an elaborate industrial security 
program to protect against the compromise of classified 
information, equipment or software from a contractor's 
facility. This program involves physical, technical, and 
personnel security initiatives. In addition, we have an 
industrial ADP security program to assure that information 
processing activities at a f con tr actor ' s facility are protected 
from security compromise. 


We interpret event (b) of your memorandum to refer to the 
covert modification of nominally unclassified commercially 
available hardware or software. This would include;, among other 
activities: modification to assist a covert penetration; 

modification to permit the covert capture of data for later 
removal; alteration of the emanations (TEMPEST) characteristics 
of the equipment; sabotage of the system (to cause random 
destruction of data, intermittent malfunction, etc.). The 
possibilities are only limited by the: imagination of the 
adversary. Protection against this '"Trojan Horse" attack is far 
more difficult because of the complexity of modern hardware and 
software and the uncontrolled nature of the commercial 
environment. Our approach to date involves dealing only with 
"trusted" vendors, using equipment in a secure environment with 
only security cleared personnel having access (including 
maintenance personnel), and enforcing rigorous TEMPEST 
standards. We recognize that these procedures may not be fully 
adequate and are continuously working to improve them. 
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We do not consider the concerns you have raised academic. 

We know the Soviets have actively targeted the U.S. industrial 
community for covert activity. We further are aware that the 
Soviets continue to attempt to intercept transmissions between 
the U.S. Government and its contractors and vendors. To date, we 
are not aware of a Soviet success in the "Trojan Horse" 
scenario. Although they have, as you know, had success in the 
theft of clas sified information from nominally secure industrial 
environments I I 


We are prepared to discuss these important matters further 
with your personnel at your convenience. Components of our 
Office of Security can provide information on industrial security 
policy and procedures. We are, of course, also prepared to 
discuss the general area of ADP security. With knowledge of the 
precise situation you are co nfron ted with, we may be able to 
provide further assistance. | | 

We hope these comments have been helpful. We recognize that 
the area of ADP security is fraught with difficulties and 
administrative and technical challenges. We would appreciate any 
further thoughts you may have on these problems or our comments, 
or any addition al exp erience you may have that you would like to 
share with us. 
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